Who we are 



Tammy Yoshi Adam 


Tammy + Yoshi: University of Washington, Computer Science 
and Engineering, Security and Privacy Research Lab 

Adam: Honorary member of the UW Security Lab 
A Typical Day in the Lab 

MISSION 

Crash Test Dummy 

The wheel sensor's connected to the... engine computer; 
the engine computer's connected to the... brake computer. 
The modern automobile is completely drive-by-wire. 

CRYPTANALYSIS 

You can plug into the car's internal computer network, 
but you need to bypass the authentication scheme 
before you can get anywhere. 

HARDWARE HACKING +1 

Hack the engine. 

HARDWARE HACKING -1 

...and the brakes. 

CONNECTIONS 

Get access to a race track for some road testing. 

Success: +1 Hacker Cred. Next round, 
draw an extra Mission card; you may take 
both to the Staff Video Conference before you 
decide which to play (and discard the other). 

Failure: -1 Hacker Cred 




















A Typical Day in the Lab 

MISSION 

Here's Looking at You, Kid 

A webcam-equipped Wi-Fi robot in the kids' aisle? 
"Imagine being able to control your toy robot from 
a friend's house. You're a super spy!" Time for a pro 
bono security audit. 

NETWORK NINJA 

I find your lack of encryption disturbing. 

FORENSICS -1 

Modify their logging procedures so that they record 
enough information to detect anomalous logins. 

Success: No encryption means that 
anyone can intercept and watch the toy's 
video stream. Notify the vendor. 
Gain Hacker Cred 

Failure: Lose Hacker Cred 
A Typical Day in the Lab 

MISSION 

Tech or Treat? 

Halloween is fast approaching, and your haunted 
houses are the stuff of legends. 

SOFTWARE WIZARDRY 

Robotic bat, check. LED-o-lantern, check. Eerie 
soundtrack, check. Now choreograph the action with 
custom software. 

CRYPTANALYSIS 

Will anyone notice the secret message blinking from 
your pumpkin? 

SOCIAL ENGINEERING 

After all the high-tech tricks, no one was expecting 
that you'd be hiding inside the "stuffed" scarecrow. 

Success: Gain Hacker Cred and draw an 
Entropy Card. 

Failure: Lose Hacker Cred 
A Typical Day in the Lab 

Wait, what? 

Yes, it's a card game 

CONTROL-ALT-HACK(TM): WHITE HAT HACKING FOR FUN AND PROFIT (A COMPUTER SECURITY CARD GAME) 

Presented By: Tadayoshi Kohno, Tamara Denning, Adam Shostack 

July 25 

You and your fellow players work for Hackers, Inc.: a small, elite computer security 
company of ethical, white hat hackers that perform security audits and provide 
consultation services. Their Motto: You Pay Us to Hack You. 

In 1992, Steve Jackson Games published the game Hacker, satirizing the Secret Service raid 
that seized drafts of GURPS Cyberpunk. The Hacker game manual helpfully states, 
"Important Notice To Secret Service! This Is Only A Game! These Are Not Real Hacking 
Instructions! You Cannot Hack Into Real Computers By Rolling Little Dice!" Now, 20 years 
later, we wish to announce a new card game that's fun, yes, but also designed to illustrate 
important aspects of computer security. We licensed our game mechanics (Ninja Burger) 
from none other than Steve Jackson Games, then created all-new content—complete with 
illustrations and graphic design—to deal with computer security topics. 

Each person plays as a white hat hacker at a company that performs security audits and 
provides consulting services. Your job is centered around Missions — tasks that require 
you to apply your hacker skills (Hardware Hacking, Software Wizardry, Network Ninja, 
Social Engineering, Cryptanalysis, Forensics, and more) and a bit of luck in order to 
succeed. 


Motivation 





Context 



Security issues litter the news 

Nearly Half a Million Yahoo Passwords Leaked [Updated] 
Posted by samzenpus on Thursday July 12, @06:45PM 
from the protect-ya-neck dept. 

Russian Hacker Sidesteps Apple IOS In-App Purchases 
Posted by Soulskill on Friday July 13, @12:25PM 
from the price-is-right dept. 

Same old story: 

People designing product X didn't think about security 
People deploying product X didn't think about security 
People using product X didn't think about security 
What's worse: 

• Sometimes companies have security teams that advocate 
for security, but product teams can't justify the expense 

• Sometimes people on the product teams want security, 
but their managers can't justify the expense 

Part of the problem: awareness and priorities 
Our Key Questions 



• How can we get product teams to think about 
security during development and reach out to 
security teams? 

• How can we get managers to invest in security? 

• How can we train the next-generation computer 
scientists in security? 

• Side question: How can we help the general public 
understand and prioritize security? 
Strategy 



Get 'em while they're young! 

Emphasis on: 

• High schoolers 

• Undergraduates 

• Young developers 

STEM demographic 

• (Science, Technology, Engineering, Math) 







Orientation 
























Why a Game 



The Security toolbox is too full of sticks 
Let's add carrots 

• Games, humor, etc. 

• Entice people towards security 

• Control-Alt-Hack™ is our most recent effort in this 
direction 

• There's a wide open field! 






Why a Physical Game 



Physical artifact 

• Adam: Elevation of Privilege card deck 

• Tammy + Yoshi: Discovering Security Threats card deck 

• Core Security's Exploit! 

Co-location, discussion, collaboration 

• Coffee time, lunch, TGIF 

Social "permission" to explore, admit ignorance 
Humor creates relaxed, open atmosphere 








Different Types of Games 



Different games form a spectrum of: 

• Time to learn, time to play 

• Equipment: cards, boards, dice, etc. 

Craps, War, Blackjack 

Backgammon, Chess, Go 

Trivial Pursuit, Cranium, Apples to Apples 

Settlers of Catan 

Dungeons and Dragons 






Developing Mechanics 



• We are not game designers 

• We scoured game stores for game mechanics 



• Ninja Burger from Steve Jackson Games! 
Serendipity! 



THE COMPUTER CRIME 
CARD GAME 


















Game Mechanics 



We licensed the Ninja Burger mechanics, but re-did 
the content for our purposes 

Steve Jackson has provided incredibly valuable 
advice and feedback 

(Though any problems are purely our own) 
CONTROL-ALT-HACK 


You and your fellow players work for Hackers, Inc.: 
a small, elite computer security company of ethical 
(a.k.a., white hat) hackers who perform security 
audits and provide consultation services. Their 
motto? “You Pay Us to Hack You." 

Your job is centered around Missions—tasks 
that require you to apply your hacker skills (and 
a bit of luck) in order to succeed. Use your Social 
Engineering and Network Ninja skills to break the 
Pacific Northwest’s power grid, or apply a bit of 
Hardware Hacking and Software Wizardry to convert 
your robotic vacuum cleaner into an interactive pet 
toy...no two jobs are the same. So pick up the dice, 
and get hacking! 



AGES 14 & UP 
PLAYERS 3-6 

GAME TIME APPROXIMATELY 1 HOUR 



GAME INCLUDES 

1 RULEBOOK 
3 DICE 

156 GAME CARDS 

16 Hacker Cards 
56 Mission Cards 
72 Entropy Cards 
12 Attendance Cards 

58 HACKER CRED TOKENS 
42 MONEY TOKENS 



www.ControlAltHack.com 








Delicious Contents 

Hacker Card 

FRANZI 

Hardware Hacking: 12 
Network Ninja: 12 
Social Engineering: 8 
Software Wizardry 
Cryptanalysis: 9 
Connections: 12 
Barista: 8 
Kitchen Sink: 10 

She never fails a Software Wizardry roll, no 
matter what. 

When not working as the company's resident software 
wizard, Franzi spends her time traveling to new places 
and meeting new people. Her current record is 13 
countries in one year. 
Skills 

Skills all hackers have 

Hardware Hacking 
Software Wizardry 
Network Ninja 
Social Engineering 
Cryptanalysis 

Extra skills 

Barista 
Connections 
Web Procurement 
Forensics 
Lockpicking 
Search Fu 
Kitchen Sink (catchall) 







The Mission Cards 

MISSION 

Lights, Camera, Hack! 

You've been hired to consult on a new 
cyberthriller movie. 

CRYPTANALYSIS 

Look through the script for blatant inaccuracies. 

SOCIAL ENGINEERING +3 

Can you convince the producers that hacking doesn't 
actually look like a speed-typing race? 

Success: You're don't know that many 
hackers that code in leather bodysuits or 
designer sunglasses, but no one in your 
office is complaining. Gain Hacker Cred 

Failure: You've already told everyone about 
consulting on the movie, so its inaccuracies 
are triply embarrassing. Lose Hacker Cred 
The Entropy Cards 

LIGHTNING STRIKES 

Play this card on a rival who is about to make 
a Social Engineering roll. This card cannot be 
played on a player with a Newb Job. 

Awareness Training 

Two weeks ago the target held training seminars 
about social engineering threats. Great that 
everyone is on the alert, but it does make your 
job harder. 

You are at a -3 penalty to your Social 
Engineering skill on your next roll (but not 
subsequent re-rolls). 

Discard this card after use. 

(A second Entropy card is mostly hidden behind this one; only "+2 Social ..." and "Keep this ..." are visible.) 












How to Play 

Alice, Bob, and Carol are playing. 

Everyone gets: 3 Entropy ... card, 1 Not Attending Card, and 6 ... 

Ready to start playing... 



















Round 1 

Phase 1: Distribute Money and Draw Entropy Cards. 

Phase 2: Draw Mission Cards. 

ATTENDING 

If you choose to attend the Staff Video 
Conference, play this card face down during 
Phase 2. 

If you attend the Staff Video Conference, you: 

> draw an additional Entropy card. 

> may trade or bargain with other players to 
exchange Missions. 

> may be stuck with a Newb Job, if you have 
a low Hacker Cred score (see rules). 

> may push your Newb Job onto a player 
with a low Hacker Cred score (see rules). 

If you are the only player who attends 
the Staff Video Conference, you also get 
one free re-roll during your Mission. 

Phase 3: Staff Video Conference 














































































MISSION 

Blind Trust 

Sometimes you think people will install any phone 
app, no matter where it comes from. 

Time for an experiment. 

SOFTWARE WIZARDRY 

Write a game that secretly takes a photo every 30 
minutes. (As a white hat, you play nice, so don't 
upload them!) 

SOCIAL ENGINEERING 

What would make your game popular? Pigs? Birds? 
Kittens? Chainsaws? 

Success: They may have trusted you, 
but your app isn't so blind. Some of those 
photos could be really, um, interesting. 
Gain Hacker Cred 

Failure: You released a Trojan app—what 
were you thinking? Lose Hacker Cred 

HACKER: Alice 

LIGHTNING STRIKES 

Play this card on a rival starting a Mission, 
before any die rolls are made. This card cannot 
be played on a player with a Newb Job. 

Got a Date 

You met someone charming! Get a last-minute 
reservation for tonight's date at that amazing 
Thai place. 

Roll vs. Social Engineering. 

Success: Continue with your Mission. 

Failure: Lose Hacker Cred immediately. 
Continue with your Mission. 

Discard this card after use. 

HACKER: Carol 

Hacker Card 

DEB 

Hardware Hacking: 12 
Network Ninja: 10 
Social Engineering: 11 
Software Wizardry 
Cryptanalysis: 10 
Search Fu: 11 
Kitchen Sink: 9 

Once per turn, she may substitute any one skill 
for any other skill. This substitution only applies 
to one task. 

As a connoisseur of relaxation (there's nothing better 
than a lazy nap on a Saturday afternoon), Deb knows 
better than to face a challenge head-on when there's a 
workaround. 
Phase 4: The Missions (Player Turns). 
































































































































































NOT ATTENDING 

If you choose to NOT attend the Staff Video 
Conference (and instead have "connectivity 
issues"), play this card face down during 
Phase 2. 

BAG OF TRICKS 




















Phase 5: Hacker Cred Bonus/Penalty 




















Phase 6: Discard Entropy Cards 




















Phase 7: Check Hacker Cred 























And that's a round! 

(...you get the hang of it as you play) 






Incorporating Learning Objectives 
"Public Relations" 




Computer science can be fun! 

Computer security can be fun! 

Stereotypes are inhibitory - computer science and 
computer security can be for anyone 




Help broaden the public's understanding of the word 
"hacker" 
Key Learning Objectives 



Computer security != laptops, desktops, and the Web 
Diversity of attack techniques and attacker goals 

Example Attack Techniques: 

Cross-correlating data sources 
Disinformation 
Distractions 
Denial of service 
Exploiting unpatched software 
Exploiting weak passwords 
Inside information 
Insider threat 
Physical compromises 
Reverse engineering 
Sniffing unencrypted data streams 
Social engineering 
Special equipment 

Example Technologies: 

Botnets 
Censorship / Anti-censorship 
Consumer home technologies 
Cyber-physical systems 
Financial systems 
Medical devices 
Military systems 
Mobile phones 
RFID 
SCADA / Infrastructure 
Standards 
Tracking / Tracking circumvention 












Social Engineering 

MISSION 

I Hack You a Latte 

You're switching it up for this company audit. Tell the 
front desk that you're opening a new cafe and want to 
set up a promotional coffee cart in their lobby. 

CONNECTIONS OR WEB PROCUREMENT 

Of course, you need actual coffee cart equipment to 
pull this off. 

BARISTA 

12oz. non-fat split-shot, extra-hot, 3-pump mocha with 
whip. Can you keep all the orders straight? 

NETWORK NINJA 

Plug into their internal wired network when nobody's 
looking and pwn them. 

Success: Gain Hacker Cred. Choose one 
Bag of Tricks card from your hand or the 
discards; you can play the item free of charge. 

Failure: Lose Hacker Cred 
Nonstandard Target 

MISSION 

Shock Value 

Is the Pacific Northwest's power grid secure? 

SOCIAL ENGINEERING -2 

Call the IT desk ("I'm a new employee!") and con them 
into giving you the IP (Internet) address of one of their 
servers. 

NETWORK NINJA 

Their computers can't be taken down for the standard 
software update procedures—and that means that you 
can exploit code that everyone else patched in 1999. 

Success: Gain Hacker Cred. The managers 
are shocked; you aren't. 

Failure: Lose Hacker Cred 
Unusual Attacks 

BAG OF TRICKS 

Dumpster Diving 

You don't mind getting dirty. You're happy to 
dig through a company's garbage to look for 
un-shredded specs, documentation, and 
inter-office memos. This time the client's guards 
are vigilant. Rent a garbage truck, then go 
through your haul off-site. 

Play this card during a Mission. 

All your Hardware Hacking rolls for the 
Mission are automatic successes. 

Discard this card after use. 

Cost: ... 
Humor! 

MISSION: NEWB JOB 

Love Is in the Air 

You're demonstrating Wi-Fi security risks ... 
auditorium of 500 students as part of Onlin... 
Awareness Week. 

NETWORK NINJA -3 

Download free software that intercepts Wi-Fi 
traffic, then displays the images that nearby ... 
are browsing. Live demos are jinxed, so tripl... 
everything. 

Success: The students got the point. But 
next time, verify that all students are 18+ 
before the demo. Gain Hacker Cred 

Failure: Lose Hacker Cred 

MISSION 

I'd Tap That 

MISSION 

Going All the Way 

MISSION 

That's What She Said 

You don't always want to share your conversations 
with the world. Experiment with a new security 
scheme for cellular phone calls. 

WEB PROCUREMENT 

Get a bunch of cheap handsets for your experiments. 

HARDWARE HACKING OR CONNECTIONS 

Cobble together some hardware to act as a cell phone 
base station, or borrow the real thing from a friend. 

CRYPTANALYSIS 

Design and implement your new encryption scheme. 

Success: Gain Hacker Cred. Your new 
cellular protocol is great—now there's one 
more secure option that companies can 
decide not to use. 

Failure: Lose Hacker Cred. Discard one Bag 
of Tricks card that you have in play. 


























References! 

MISSION 

Here's Looking at You, Kid 

NETWORK NINJA 

I find your lack of encryption disturbing. 

FORENSICS -1 

Modify their logging procedures so that they record 
enough information to detect anomalous logins. 
Security Jokes 

MISSION: NEWB JOB 

9 6 31 25 26 27 28 6 1 7 13 

Your nephew needs help with his math homework. 
Help him solve these cryptograms. 

CRYPTANALYSIS 

2 14 12 12 27 , 23 27 6 12 16 — 16 15 16 
31 27 21 14 18 25 14 9 26 13 27 7 14 26 2 
15 20 28 14 12 13 14? 

CRYPTANALYSIS -1 

23 2 1 26 ' 13 31 27 21 6 9 6 31 25 26 27 
30 21 ? 16 15 16 31 27 21 20 27 26 15 9 14 
26 2 1 26 26 2 15 13 23 1 13 14 20 9 6 31 
25 26 14 16 23 15 26 2 6 13 1? 

NOTE: Solving these cryptograms is optional. 

Groovy, but optional. 

Success: No reward. You were expected to 
succeed. 

Failure: Lose Hacker Cred. 
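The card gives no key and no word breaks, which is exactly the situation a crib plus a dictionary handles. What follows is an added example, not part of the game or its rulebook, that solves the two cryptograms as printed above. It guesses that the 11-symbol title line spells CRYPTOGRAMS (an assumption; symbol 6 repeats exactly where the R does), uses that as a known-plaintext crib to pin eleven letters, and recovers the rest by backtracking dictionary segmentation under a one-to-one key. The ciphertext is copied from the card as shown on the slide (OCR may have altered a digit, and the card's dash is written as "-"), and the word list is a constructed stand-in for an English dictionary; none of that comes from the page.

```python
import re

# Ciphertexts copied from the card as printed on the slide.  OCR may have altered a
# digit; the card's dash is written as "-" here.  TITLE_CT is the 11-symbol header line.
TITLE_CT = "9 6 31 25 26 27 28 6 1 7 13"
CT1 = ("2 14 12 12 27 , 23 27 6 12 16 - 16 15 16 31 27 21 14 18 25 14 9 26 13 27 7 14 26 2 "
       "15 20 28 14 12 13 14?")
CT2 = ("23 2 1 26 ' 13 31 27 21 6 9 6 31 25 26 27 30 21 ? 16 15 16 31 27 21 20 27 26 15 9 14 "
       "26 2 1 26 26 2 15 13 23 1 13 14 20 9 6 31 25 26 14 16 23 15 26 2 6 13 1?")

# ASSUMED crib (known plaintext): the title line is guessed to spell CRYPTOGRAMS.  It has
# 11 symbols, and symbol 6 repeats exactly where CRYPTOGRAMS repeats its R.
CRIB = "CRYPTOGRAMS"

# Constructed stand-in for an English word list, with a few distractors on purpose.
WORDS = ["HELLO", "WORLD", "DID", "YOU", "YOUR", "EXPECT", "SOMETHING", "ELSE", "WHAT'S",
         "CRYPTO", "FU", "NOTICE", "THAT", "THIS", "WAS", "ENCRYPTED", "WITH", "RSA",
         "THE", "AND", "NOT", "ARE", "WHAT", "SOME", "THING", "IS"]


def tokenize(ct):
    """Split a cryptogram into integer symbols and single punctuation characters."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[^\s\d]", ct)]


def segments(tokens):
    """Group symbol runs between punctuation; apostrophes stay inside a run, normalised to '."""
    segs, run = [], []
    for t in tokens:
        if isinstance(t, int) or t in "'\u2019":
            run.append("'" if isinstance(t, str) else t)
        else:
            if run:
                segs.append(run)
            segs.append(t)
            run = []
    if run:
        segs.append(run)
    return segs


def match(key, syms, word):
    """Read `word` at `syms`; return the key extended one-to-one, or None on any conflict."""
    if len(syms) != len(word):
        return None
    new = dict(key)
    for s, c in zip(syms, word):
        if s == "'" or c == "'":            # apostrophe is carried through the cipher as-is
            if s != c:
                return None
        elif s in new:
            if new[s] != c:
                return None
        elif c in new.values():             # letter already owned by another symbol
            return None
        else:
            new[s] = c
    return new


def solve_segment(key, seg, words):
    """Backtracking dictionary segmentation of one run; returns (key, words) or None."""
    if not seg:
        return key, []
    for w in words:
        new = match(key, seg[:len(w)], w)
        if new is None:
            continue
        rest = solve_segment(new, seg[len(w):], words)
        if rest is not None:
            return rest[0], [w] + rest[1]
    return None


def decrypt(ct, key, words):
    """Solve one cryptogram under `key`; returns (plaintext or None, possibly extended key)."""
    out = []
    for seg in segments(tokenize(ct)):
        if isinstance(seg, str):            # punctuation passes straight through
            out.append(seg)
            continue
        res = solve_segment(key, seg, words)
        if res is None:
            return None, key
        key, ws = res
        out.append(" ".join(ws))
    return re.sub(r" ([,?!.])", r"\1", " ".join(out)), key


def solve_card():
    """Apply the crib to the title, then solve both cryptograms with one shared key."""
    key = match({}, tokenize(TITLE_CT), CRIB)
    if key is None:
        raise ValueError("crib does not fit the title line")
    words = sorted(WORDS, key=len, reverse=True)  # longest first: SOMETHING beats SOME+THING
    plaintexts = []
    for ct in (CT1, CT2):
        text, key = decrypt(ct, key, words)
        plaintexts.append(text)
    return plaintexts, key


if __name__ == "__main__":
    texts, key = solve_card()
    for t in texts:
        print(t)
    print(sorted(key.items()))
```

Run it and both cryptograms come out as readable English. The two things worth noticing are in match(), which refuses any extension that would give two symbols the same letter or one symbol two letters, and in the longest-first word ordering, which is what stops a distractor like SOME from splitting SOMETHING. Replace WORDS with a real dictionary (uppercased) and the same code becomes a general solver for monoalphabetic cryptograms with a crib, at the cost of far more backtracking.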
Development Process 

Development Overview 

(Flow chart of the development steps. The boxes read: Set Goals; Budget and Timeline; Develop ... and Graphics; Review; Arrange Production; (Play)Test. One arrow is annotated "oops, too late now".) 
Card Topics 

neat attack techniques or characteristics 

special equipment 
man-hours 
distraction 
o enter building when there's a large conference going on 
false positives with alarm systems 

technical skills 
physical skills 
social skills 

inside information: design sc... 
inside information: implemen... 
inside information: usage or... 
anonymity 

web tracking / advertisers 
o history stealing 
legislative changes 
online predators 
standards changes 
latent threat 

diverse geographic jurisdictio... 
3d printing 

destroy forensic logs 
buffer overflow 
DDoS 
DNS 

SSL cert problem 
reverse engineering 
using the reflections on teap... 
Extortion 

Firesheep (kind of - we have ... 
resale of ill-gotten goods 
human CAPTCHA-solving se... 
Don't lose sensitive informat... 

target technologies 

high-tech soda machine 
antivirus definitions 
medical devices 
elevators 
airport 

synthetic biology 
bank 
voting 

targeted malware 
bad random number generators 
some missions involve non-technical things, like ... appeal of computer science) 
do something with eTextiles 
power grid 
train system 
traffic lights 

coffee shop snooping/injection 
RFID/ID systems 
casinos/gambling machines 
Augmented Reality 
Personal Sensors 

3D printing (although there is a 3D printing-related ... 
water 

food (shipping) 

Other category 

• CISSP certification - costs money. 

• Maybe need to get trained in ethics? 

• Does this fit here or with interesting times: You find a vulnerability and go straight to the 
media without thinking through the consequences. In this case, you should have told the 
manufacturers first. Lose reputation / get reprimanded. 

• Another thing to do with money (if fail a mission): Donate to the EFF, donate to UW, 
donate to Tor. 

customers 

• charity 

• friend or family 

• government 

• company 

• university 

attackers 

• hobbyist 

• employee 

• honest but curious 

• neighbor 

• script kiddy 

• government 

• organized crime 

• group (a la anonymous) 
Ninja Burger Skills 


• Combat 

• Stealth 

• Disguise 

• Climbing 

• Customer Service 

• Driving 

• Math 

• Ninja Lore 

• Computers 

• Animals 

• Swimming 


Control-Alt-Hack Skills 


• Hardware Hacking 

• Network Ninja 

• Social Engineering 

• Software Wizardry 

• Cryptanalysis 

• Lockpicking 

• Forensics 

• Search Fu 

• Barista 

• Connections 

• Web Procurement 
The Process 

Jim Bob's Trailer 

Ah've got a hankerin' for thet Ninja 
Burger goodness ... 

(1) Combat at -1: Meet Jim Bob's 
neighbors. 

(2) Animals: Meet Jim Bob's pit bull. 

(3) Combat at +1: Meet Jim Bob's kids. 

(4) Customer Service: When Jim Bob smiles, smile back. 

Success: Gain 1 Honor and the Branch Manager's respect. Next 
round, draw two Mission cards; you may take both to the 
Staff Meeting before you decide which to play. 

Failure: Lose 1 Honor. 
Try 1 



(47) Something about a startup 

What's the startup about? It could be a generic social networking 
blah blah, but how about maybe powerline emission security? 

Connections. Use your connections to get funding. 

Hardware Hacking at +1. 

Hardware Hacking at -1. 

Cryptanalysis. Devise a scheme to add white noise/filter... 

Success: +1 Reputation. Next round, draw two Mission cards; you 
may take both to the Staff Video Conference before you decide which 
to play. 

Failure: -1 Reputation. 
Try 2 



(47) Crash Test Dummy 

The wheel sensor's connected to the ... engine computer; the 
engine computer's connected to the ... brake computer. The modern 
automobile is completely drive-by-wire. 

Cryptanalysis. You can plug into the car's internal computer 
network, but you need to bypass the authentication scheme before 
you can get anywhere. 

Hardware Hacking at +1. Hack the engine. 

Hardware Hacking at -1. ...and the brakes. 

Connections. Get access to a race track for some road testing. 

Success: +1 Reputation. Lights, speedometer, transmission, 
airbags - is there anything on the car that you can't control? 

Failure: -1 Reputation 
Ta-Da! 

MISSION 

Crash Test Dummy 

The wheel sensor's connected to the... engine computer; 
the engine computer's connected to the... brake computer. 
The modern automobile is completely drive-by-wire. 

CRYPTANALYSIS 

You can plug into the car's internal computer network, 
but you need to bypass the authentication scheme 
before you can get anywhere. 

HARDWARE HACKING +1 

Hack the engine. 

HARDWARE HACKING -1 

...and the brakes. 

CONNECTIONS 

Get access to a race track for some road testing. 

Success: +1 Hacker Cred. Next round, 
draw an extra Mission card; you may take 
both to the Staff Video Conference before you 
decide which to play (and discard the other). 

Failure: -1 Hacker Cred 







One down... 

(Spreadsheet used to map Ninja Burger Mission cards onto Control-Alt-Hack content. Only the headers and scattered cells survive.) 

Columns: Mission Card; the Ninja Burger skills (Combat, Stealth, Disguise, Climbing, Customer Service, Driving, Math, Ninja Lore, Computers, Animals, Swimming); Type of Technology; Adversary Capabilities; Adversary Motivations; Attack Techniques; Security Goals; Possible Mapping to Control-Alt-Hack skills (Hardware Hacking, Network Ninja, Social Engineering, Software Wizardry, Cryptanalysis, Lockpicking, Forensics, Search Fu, Barista, Connections (aka Con Speaker or Social Network, was Legal), eBay). 

Rows (Ninja Burger missions): Errand: Work the Phones; Figure Skating Championships; Frat House; Game Store; Health Spa; Ice Station Giraffe; International Space Station; Jim Bob's Trailer; Jury Room; La Maison Ritzee; Ladder Company No 6; Lighthouse; Little Sally Down the Well; Mad Scientist's Lab; Mardi Gras; Mongoplex 50; Mount Everest; Nuclear Submarine; Office Cube 2357-B; Officer Friendly; Pirate Ship; Pitcher's Mound; Primate Research Center; Ren Faire; Rival Fast-Food Restaurant. 

Skill-modifier cells read 0, -1, -2, -3, "-1 or Disguise -1", "-1 or Stealth -1", "0 OR Swimming", "0 OR Driving", "0 OR Animals", "0 OR Climbing". 

Surviving entries from the security columns: airports (not airplanes); social engineering; cause havoc; social engineering, uniforms; social networking / phishing; infrastructure, cyber-physical; electronic voting machine; cyber-physical system / railroad; shredding; locks, files (conventional); disinformation; software vulnerability on a web site; financial motivation; web site integrity; damage reputation of company; spear phishing email; protect reputation; social engineering (phone call), exploit unpatched software; accidental, bored; integrity / availability; change election; reverse engineering; integrity of election; political purposes; confidentiality; tape + dumpster diving; proper disposal of data; lock picking, password cracking based on weak passwords; confidentiality. 
Development Overview 

(Play)Test 








Playtesting 

Instruction refinements...clarifications... 
Attendance cards! 

ATTENDANCE 

ATTENDING 

If you choose to attend the Staff Video 
Conference, play the card face down during 
Phase 2. 

If you attend the Staff Video Conference, you: 

> draw an additional Entropy card. 

> may trade or bargain with other players to 
exchange Missions. 

> may be stuck with a Newb Job, if you have 
a low Hacker Cred score (see rules). 

> may push your Newb Job onto a player 
with a low Hacker Cred score (see rules). 

If you are the only player who attends 
the Staff Video Conference, you also get 
one free re-roll during your Mission. 

NOT ATTENDING 

If you choose to NOT attend the Staff Video 
Conference (and instead have "connectivity 
issues"), play this card face down during 
Phase 2. 

If you do not attend the Staff Video 
Conference, you get one free re-roll during 
your Mission. 
Still not perfect 

MISSION 

Lights, Camera, Hack! 

You've been hired to consult on a new 
cyberthriller movie. 

CRYPTANALYSIS 

Look through the script for blatant inaccuracies. 

SOCIAL ENGINEERING +3 

Can you convince the producers that hacking doesn't 
actually look like a speed-typing race? 

Success: You're don't know that many 
hackers that code in leather bodysuits or 
designer sunglasses, but no one in your 
office is complaining. Gain Hacker Cred 

Failure: You've already told everyone about 
consulting on the movie, so its inaccuracies 
are triply embarrassing. Lose Hacker Cred 
The Big Picture 






What We Did 



We made a card game! 

The game is designed to be fun 

• An essential property! 

While also 

• Raising awareness 

• Educating 

• Promoting communication 

Fun game with educational content - not 
educational game 







What We Did 



Toward meeting these goals 

• Highly iterative content creation 

• Professional design, professional manufacturing 

• Copies to give away 

• Copies to sell 
Learning More 



Website: http://www.ControlAltHack.com 

Twitter: @ControlAltHack 

#ControlAltHack 


List: 


control-alt-hack@cs.washington.edu 

(announcements only) 









At the printer now! 


Available for sale soon 

• Selling so that it’s self-sustaining and broadly 
available 

• Planning to use a large, Seattle-based online retailer 

• Go to http://www.ControlAltHack.com to sign up for 
announcement emails, or follow @ControlAltHack for 
announcements 

• Being sold by RGB Hats, LLC 
Free Copies 



For U.S.A.-based educators 

• We have a limited number of copies that we can give 
to educators for educational uses (we’ll filter) 

• Visit http://www.ControlAltHack.com to apply 
Educators? 

• High school AP computer science classes 

• Freshman, sophomore computer science classes 

• College computer science clubs 

• Other? 

(High school teachers may wish to remove a few 
cards from the deck) 
Future Game Content 



Current deck (based on the original Ninja Burger) 

• 56 Missions 

• 72 Entropy Cards 

Possible expansion deck (based on the Ninja Burger 
expansion deck) 

• 72 new cards 

Ideas for new cards? See 
http://www.ControlAltHack.com 
THANKS TO! 







Call To Action 



Go get the game 
Go play the game 
Share the game with others 
Tell us how it goes 

Go make your own games 
Go add carrots to your toolbox 








Tammy Denning 


Yoshi Kohno 


Adam Shostack 


University of Washington 



Please complete speaker feedback 
surveys! 



http://www.ControlAltHack.com 


@ControlAltHack 

#ControlAltHack 













